Sniffer Technologies Information for VU#854306

Multiple vulnerabilities in SNMPv1 request handling

Status

Affected

Vendor Statement

      SNMP Request and Trap Handling Security Advisory
      Revision 1.0
      Release Date: 03/01/02

      Sniffer Technologies has prepared this advisory regarding SNMP in
      Sniffer Technologies products.  This advisory contains specific
      instructions on how to disable these services where security may be an
      issue.

      An update regarding this issue will be sent to all Sniffer Technologies
      customers on Wednesday, March 13, 2002.  The Sniffer Technologies team
      is working diligently to fully resolve this issue.  If you have further
      questions in the interim, please contact technical support.

      What is the SNMP security risk?

      On February 12, 2002, The CERT Coordination Center issued a warning that
      a broad array of network equipment used on the Internet -- including
      switches, routers, hubs, printers and operating systems -- may be
      vulnerable to an SNMP-related attack that could cause equipment to fail
      or allow an attacker to take control of it. Though not mentioned on
      their list of vendors, our Sniffer Distributed product is another such
      device that may have this inherent SNMP vulnerability because of its
      RMON/SNMP capabilities.

      There are two areas in our product that can be affected by this security
      concern.

      1. The RMON/SNMP features of our Sniffer Distributed Appliance
      2. The Trap Capture application at our SniffView Console

      In both cases, these SNMP commands can be disabled on our product if not
      in use.

      Can I avoid using these features in the Sniffer Distributed Product
      without affecting the capabilities of the Sniffer Product?

      Yes, you can disable the SNMP/RMON capabilities of the product and
      utilize our proprietary method of logging network statistics and Expert
      Symptom and Diagnosis to disk for reporting with Reporter and/or Sniffer
      Watch.  This method does not utilize SNMP and therefore is not
      susceptible to the SNMP vulnerability.  You will still have the same
      statistics and reports that are available using the SNMP/RMON features
      of the product, with the addition of the Expert Symptoms and Diagnosis
      which are unique to our method of logging and reporting.

      How do I turn off these SNMP capabilities in the product?

      Turning off SNMP at the Sniffer Distributed Appliance:
      By default, the SNMP and RMON features of the Sniffer Distributed
      Appliance are enabled.  To turn off these features, follow the
      procedures below.

      1. Either start Probe Viewer at the Sniffer Distributed Appliance, or
      "Configure" an Agent from your SniffView Console.
      2. Select the SNMP tab.
      3. Disable SNMP Trap.
      4. Disable SNMP/RMON.
      5. Restart the Sniffer Distributed Appliance for changes to take effect.

      Turning off the SNMP Trap Capture at the SniffView Console:

      By default, when you install the SniffView Console a program called Trap
      Capture automatically gets installed and runs in the background.   This
      program can accept SNMP Traps from Sniffer Distributed Appliances as
      well as other SNMP devices.  Follow the procedures below to turn it off:

      1. Start the SniffView Alarm Manager.
      2. Select Toggle Trap capture.  The Trap capture program will be
      disabled. However, if you reboot the PC the SniffView Console is running
      on, it will turn itself back on.  Therefore you must remember to disable
      it again.

      Will these features be disabled in the future?

      Yes, the SNMP/RMON features of the product will be disabled by default
      starting with the Sniffer Distributed v4.1 (with Support for Web
      Console) version.

      What if I require these features?

      If you require these features then there are a few steps that you can
      take to protect yourself from this security concern.

      1. Under the SNMP Tab (see above), change Community name from "public" to
      something else.
      2. Using routers and/or firewalls, control SNMP access to the Sniffer
      Distributed Appliances or SniffView Console to ensure the traffic
      originates from known management systems and addresses.
      3. Filter SNMP services at your network perimeter (ingress/egress
      filtering).
      4. Segregate network management traffic onto a separate network (i.e., a
      VPN).

      Refer to CERT advisory CA-2002-03
      (http://www.cert.org/advisories/CA-2002-03.html) for more details and
      the most recent information regarding recommended solutions.

      How will this security concern affect my network?

      This issue has the potential to create a denial of service attack. An
      attacker sending bogus SNMP requests and traps could flood the Sniffer
      Distributed Appliance and/or SniffView console running the Trap Capture
      application.  This might cause the system to hang and may require a
      reboot.

      An attacker should not be able to configure or take control of either
      the Sniffer Distributed Appliance or the SniffView Console.

      Has anyone reported an exploitation of this vulnerability on a Sniffer
      Distributed system?

      No.

      Have we notified CERT of our concern?

      Yes.

      Where can I find out more information regarding this security concern?

      For more information regarding this vulnerability please refer to the
      following URLs on CERT's web site:
      http://www.cert.org/advisories/CA-2002-03.html
      http://www.cert.org/tech_tips/snmp_faq.html
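
Added example (not part of the vendor statement or of any Sniffer Technologies product): a Python check for the "What if I require these features?" steps above. It flags UDP datagrams sent to an SNMP port that come from outside the known management systems, still carry the default community "public", or are malformed. The management range 192.0.2.0/28, the function names and the sample datagram builder are assumptions constructed for illustration; ports 161 and 162 are the standard SNMP request and trap ports.

```python
import ipaddress

# Assumed values for illustration; none of these come from the advisory.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]   # known management systems
SNMP_PORTS = {161: "request", 162: "trap"}            # standard SNMP UDP ports

def tlv(buf, pos, tag):
    """Read one BER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    length = buf[pos + 1]
    if length & 0x80:                      # long form: accept 1-2 length bytes only
        n = length & 0x7F
        if n == 0 or n > 2 or pos + 2 + n > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    if start + length > len(buf):          # never trust a length past the datagram
        raise ValueError("length exceeds datagram")
    return buf[start:start + length], start + length

def snmp_header(payload):
    """Return (version, community) from an SNMP message, bounds-checked."""
    body, _ = tlv(payload, 0, 0x30)        # outer SEQUENCE
    ver, pos = tlv(body, 0, 0x02)          # INTEGER version (0 means SNMPv1)
    community, _ = tlv(body, pos, 0x04)    # OCTET STRING community
    return int.from_bytes(ver, "big"), community.decode("latin-1")

def audit(src, dport, payload):
    """Return the findings for one UDP datagram (source IP, dest port, payload)."""
    if dport not in SNMP_PORTS:
        return []
    findings = []
    if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
        findings.append("source not a known management system")
    try:
        _, community = snmp_header(payload)
    except ValueError as exc:
        return findings + [f"malformed SNMP message: {exc}"]
    if community == "public":
        findings.append("default community 'public' in use")
    return findings

def sample(community):
    """Constructed SNMPv1 GetRequest, empty varbind list (test input only)."""
    body = (b"\x02\x01\x00" + bytes([0x04, len(community)]) + community.encode()
            + bytes.fromhex("a00b0201010201000201003000"))
    return bytes([0x30, len(body)]) + body
```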

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.